
Understanding Netgear VPN Logs

The VPN routers in Netgear's ProSafe series support IPsec VPN. The router's VPN log contains important clues for troubleshooting VPN problems. The following logs come from an FVS336G with firmware version 3.0.3-17. Logging on the FVX538, FVS338, DGFV338 and FVG318 routers is very similar. The client for these tests was an Apple Mac running Mac OS X 10.5 with VPN Tracker 5 from equinux.

Log of the Netgear router

The following excerpts from the VPN log of an FVS336G show some typical errors made when setting up a VPN connection.

Entry in the VPN log

2009 Apr 10 08:43:32 [FVS336G] [IKE] Could not find configuration for 192.168.178.32[500]_

Causes / Solutions

  • The router does not recognise the client. Either the Remote ID in the router or the Local ID in the client is wrong. Check these entries. The Remote ID in the router corresponds to the Local ID in the client and vice versa.
  • Error in the ID type (IP address, FQDN, User-FQDN). The ID type on router and client must match.
  • The router is set to Aggressive Mode and the client to Main Mode. Both sides must be set to the same mode.

Entry in the VPN log

2009 Apr 10 15:26:01 [FVS336G] [IKE] Remote configuration for identifier "macbook" found_
2009 Apr 10 15:26:01 [FVS336G] [IKE] Received request for new phase 1 negotiation: 192.168.178.34[500]<=>192.168.178.32[500]_
2009 Apr 10 15:26:01 [FVS336G] [IKE] Beginning Aggressive mode._
2009 Apr 10 15:26:01 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2009 Apr 10 15:26:01 [FVS336G] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2009 Apr 10 15:26:01 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 6 times -
2009 Apr 10 15:26:01 [FVS336G] [IKE] Received Vendor ID: CISCO-UNITY_
2009 Apr 10 15:26:01 [FVS336G] [IKE] For 192.168.178.32[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_

Causes / Solutions

Wrong Remote ID (the router's identifier) entered in the client.

Entry in the VPN log

2009 Apr 10 15:27:53 [FVS336G] [IKE] Remote configuration for identifier "macbook" found_
2009 Apr 10 15:27:53 [FVS336G] [IKE] Received request for new phase 1 negotiation: 192.168.178.34[500]<=>192.168.178.32[500]_
2009 Apr 10 15:27:53 [FVS336G] [IKE] Beginning Aggressive mode._
2009 Apr 10 15:27:53 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2009 Apr 10 15:27:53 [FVS336G] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2009 Apr 10 15:27:53 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 6 times -
2009 Apr 10 15:27:53 [FVS336G] [IKE] Received Vendor ID: CISCO-UNITY_
2009 Apr 10 15:27:53 [FVS336G] [IKE] For 192.168.178.32[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2009 Apr 10 15:27:54 [FVS336G] [IKE] NAT-D payload matches for 192.168.178.34[500]_
2009 Apr 10 15:27:54 [FVS336G] [IKE] NAT-D payload matches for 192.168.178.32[500]_
2009 Apr 10 15:27:54 [FVS336G] [IKE] NAT not detected _
2009 Apr 10 15:27:54 [FVS336G] [IKE] ISAKMP-SA established for 192.168.178.34[500]-192.168.178.32[500] with spi:08d276365f5a0c18:9f88f60f7fed26ca_
2009 Apr 10 15:27:54 [FVS336G] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]_
2009 Apr 10 15:27:54 [FVS336G] [IKE] purging spi=56061082._
2009 Apr 10 15:27:54 [FVS336G] [IKE] Responding to new phase 2 negotiation: 192.168.178.34[0]<=>192.168.178.32[0]_
2009 Apr 10 15:27:54 [FVS336G] [IKE] Failed to get IPsec SA configuration for: 11.0.0.0/24<->192.168.178.32/32 from macbook_
2009 Apr 10 15:28:24 [FVS336G] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=08d276365f5a0c18:9f88f60f7fed26ca._
2009 Apr 10 15:28:25 [FVS336G] [IKE] ISAKMP-SA deleted for 192.168.178.34[500]-192.168.178.32[500] with spi:08d276365f5a0c18:9f88f60f7fed26ca_

Causes / Solutions

A wrong remote IP network is entered in the client. The client must be configured with the router's LAN network and subnet mask.

Entry in the VPN log

2009 Apr 10 15:30:27 [FVS336G] [IKE] Remote configuration for identifier "macbook" found_
2009 Apr 10 15:30:27 [FVS336G] [IKE] Received request for new phase 1 negotiation: 192.168.178.34[500]<=>192.168.178.32[500]_
2009 Apr 10 15:30:27 [FVS336G] [IKE] Beginning Aggressive mode._
2009 Apr 10 15:30:27 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2009 Apr 10 15:30:27 [FVS336G] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2009 Apr 10 15:30:27 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 6 times -
2009 Apr 10 15:30:27 [FVS336G] [IKE] Received Vendor ID: CISCO-UNITY_
2009 Apr 10 15:30:27 [FVS336G] [IKE] For 192.168.178.32[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2009 Apr 10 15:30:27 [FVS336G] [IKE] Rejected phase 1 proposal as Peer's encryption type "Blowfish-CBC" mismatched with Local "3DES-CBC"._
2009 Apr 10 15:30:27 [FVS336G] [IKE] No suitable proposal found for 192.168.178.32[500]._
2009 Apr 10 15:30:27 [FVS336G] [IKE] Failed to get valid proposal for 192.168.178.32[500]._

Causes / Solutions

Wrong phase 1 proposals in the client. The VPN router is set to 3DES, the client to Blowfish.

Entry in the VPN log

2009 Apr 10 15:39:42 [FVS336G] [IKE] Remote configuration for identifier "macbook" found_
2009 Apr 10 15:39:42 [FVS336G] [IKE] Received request for new phase 1 negotiation: 192.168.178.34[500]<=>192.168.178.32[500]_
2009 Apr 10 15:39:42 [FVS336G] [IKE] Beginning Aggressive mode._
2009 Apr 10 15:39:42 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2009 Apr 10 15:39:42 [FVS336G] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2009 Apr 10 15:39:42 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 6 times -
2009 Apr 10 15:39:42 [FVS336G] [IKE] Received Vendor ID: CISCO-UNITY_
2009 Apr 10 15:39:42 [FVS336G] [IKE] For 192.168.178.32[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2009 Apr 10 15:39:42 [FVS336G] [IKE] Rejected phase 1 proposal as Peer's dh_group "1024-bit MODP group" mismatched with Local "1536-bit MODP group"._
2009 Apr 10 15:39:42 [FVS336G] [IKE] No suitable proposal found for 192.168.178.32[500]._
2009 Apr 10 15:39:42 [FVS336G] [IKE] Failed to get valid proposal for 192.168.178.32[500]._

Causes / Solutions

Wrong phase 1 proposal. The router is set to DH Group 1, the client to DH Group 2. The Diffie-Hellman group must be set identically on router and client.

Entry in the VPN log

2009 Apr 10 15:31:46 [FVS336G] [IKE] Remote configuration for identifier "macbook" found_
2009 Apr 10 15:31:46 [FVS336G] [IKE] Received request for new phase 1 negotiation: 192.168.178.34[500]<=>192.168.178.32[500]_
2009 Apr 10 15:31:46 [FVS336G] [IKE] Beginning Aggressive mode._
2009 Apr 10 15:31:46 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2009 Apr 10 15:31:46 [FVS336G] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2009 Apr 10 15:31:46 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 6 times -
2009 Apr 10 15:31:46 [FVS336G] [IKE] Received Vendor ID: CISCO-UNITY_
2009 Apr 10 15:31:46 [FVS336G] [IKE] For 192.168.178.32[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2009 Apr 10 15:31:46 [FVS336G] [IKE] Rejected phase 1 proposal as Peer's hashtype "MD5" mismatched with Local "SHA"._
2009 Apr 10 15:31:46 [FVS336G] [IKE] No suitable proposal found for 192.168.178.32[500]._
2009 Apr 10 15:31:46 [FVS336G] [IKE] Failed to get valid proposal for 192.168.178.32[500]._

Causes / Solutions

Wrong phase 1 proposals in the client. The Netgear router is set to SHA1, the client to MD5.

Entry in the VPN log

2009 Apr 10 15:32:53 [FVS336G] [IKE] Remote configuration for identifier "macbook" found_
2009 Apr 10 15:32:53 [FVS336G] [IKE] Received request for new phase 1 negotiation: 192.168.178.34[500]<=>192.168.178.32[500]_
2009 Apr 10 15:32:53 [FVS336G] [IKE] Beginning Aggressive mode._
2009 Apr 10 15:32:53 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2009 Apr 10 15:32:53 [FVS336G] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2009 Apr 10 15:32:53 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 6 times -
2009 Apr 10 15:32:53 [FVS336G] [IKE] Received Vendor ID: CISCO-UNITY_
2009 Apr 10 15:32:53 [FVS336G] [IKE] For 192.168.178.32[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2009 Apr 10 15:32:53 [FVS336G] [IKE] NAT-D payload matches for 192.168.178.34[500]_
2009 Apr 10 15:32:53 [FVS336G] [IKE] NAT-D payload matches for 192.168.178.32[500]_
2009 Apr 10 15:32:53 [FVS336G] [IKE] NAT not detected _
2009 Apr 10 15:32:53 [FVS336G] [IKE] ISAKMP-SA established for 192.168.178.34[500]-192.168.178.32[500] with spi:8dee0a66bb7497e2:f66c3fed47500a2c_
2009 Apr 10 15:32:53 [FVS336G] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]_
2009 Apr 10 15:32:54 [FVS336G] [IKE] Responding to new phase 2 negotiation: 192.168.178.34[0]<=>192.168.178.32[0]_
2009 Apr 10 15:32:54 [FVS336G] [IKE] Using IPsec SA configuration: 10.0.0.0/24<->0.0.0.0/0 from macbook_
2009 Apr 10 15:32:54 [FVS336G] [IKE] No policy found, generating the policy : 192.168.178.32/32[0] 10.0.0.0/24[0] proto=any dir=in_
2009 Apr 10 15:32:54 [FVS336G] [IKE] Peer's Proposal:_
2009 Apr 10 15:32:54 [FVS336G] [IKE] (proto_id=ESP spisize=4 spi=08294e6e spi_p=00000000 encmode=Tunnel reqid=0:0)_
2009 Apr 10 15:32:54 [FVS336G] [IKE] (trns_id=RIJNDAEL encklen=256 authtype=hmac-sha)_
2009 Apr 10 15:32:54 [FVS336G] [IKE] Local Proposal:_
2009 Apr 10 15:32:54 [FVS336G] [IKE] (proto_id=ESP spisize=4 spi=00000000 spi_p=08294e6e encmode=Tunnel reqid=0:0)_
2009 Apr 10 15:32:54 [FVS336G] [IKE] (trns_id=3DES encklen=0 authtype=hmac-sha)_
2009 Apr 10 15:32:54 [FVS336G] [IKE] Phase 2 proposal by 192.168.178.32[0] did not match._
2009 Apr 10 15:32:54 [FVS336G] [IKE] No suitable policy found for 192.168.178.32[0]_
2009 Apr 10 15:32:54 [FVS336G] [IKE] Sending Informational Exchange: notify payload[NO-PROPOSAL-CHOSEN]_
2009 Apr 10 15:32:54 [FVS336G] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=8dee0a66bb7497e2:f66c3fed47500a2c._
2009 Apr 10 15:32:55 [FVS336G] [IKE] ISAKMP-SA deleted for 192.168.178.34[500]-192.168.178.32[500] with spi:8dee0a66bb7497e2:f66c3fed47500a2c_

Causes / Solutions

Wrong phase 2 proposals. Encryption is set to 3DES on the router and to AES-256 on the client.

Entry in the VPN log

2009 Apr 10 15:34:21 [FVS336G] [IKE] Remote configuration for identifier "macbook" found_
2009 Apr 10 15:34:21 [FVS336G] [IKE] Received request for new phase 1 negotiation: 192.168.178.34[500]<=>192.168.178.32[500]_
2009 Apr 10 15:34:21 [FVS336G] [IKE] Beginning Aggressive mode._
2009 Apr 10 15:34:21 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2009 Apr 10 15:34:21 [FVS336G] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2009 Apr 10 15:34:21 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 6 times -
2009 Apr 10 15:34:21 [FVS336G] [IKE] Received Vendor ID: CISCO-UNITY_
2009 Apr 10 15:34:21 [FVS336G] [IKE] For 192.168.178.32[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2009 Apr 10 15:34:21 [FVS336G] [IKE] NAT-D payload matches for 192.168.178.34[500]_
2009 Apr 10 15:34:21 [FVS336G] [IKE] NAT-D payload matches for 192.168.178.32[500]_
2009 Apr 10 15:34:21 [FVS336G] [IKE] NAT not detected _
2009 Apr 10 15:34:21 [FVS336G] [IKE] ISAKMP-SA established for 192.168.178.34[500]-192.168.178.32[500] with spi:8d5deb52aea7f7dd:9fef75fd94c81c8e_
2009 Apr 10 15:34:21 [FVS336G] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]_
2009 Apr 10 15:34:21 [FVS336G] [IKE] Responding to new phase 2 negotiation: 192.168.178.34[0]<=>192.168.178.32[0]_
2009 Apr 10 15:34:21 [FVS336G] [IKE] Using IPsec SA configuration: 10.0.0.0/24<->0.0.0.0/0 from macbook_
2009 Apr 10 15:34:21 [FVS336G] [IKE] No policy found, generating the policy : 192.168.178.32/32[0] 10.0.0.0/24[0] proto=any dir=in_
2009 Apr 10 15:34:21 [FVS336G] [IKE] Peer's Proposal:_
2009 Apr 10 15:34:21 [FVS336G] [IKE] (proto_id=ESP spisize=4 spi=0add3ced spi_p=00000000 encmode=Tunnel reqid=0:0)_
2009 Apr 10 15:34:21 [FVS336G] [IKE] (trns_id=3DES encklen=0 authtype=hmac-md5)_
2009 Apr 10 15:34:21 [FVS336G] [IKE] Local Proposal:_
2009 Apr 10 15:34:21 [FVS336G] [IKE] (proto_id=ESP spisize=4 spi=00000000 spi_p=0add3ced encmode=Tunnel reqid=0:0)_
2009 Apr 10 15:34:21 [FVS336G] [IKE] (trns_id=3DES encklen=0 authtype=hmac-sha)_
2009 Apr 10 15:34:21 [FVS336G] [IKE] Phase 2 proposal by 192.168.178.32[0] did not match._
2009 Apr 10 15:34:21 [FVS336G] [IKE] No suitable policy found for 192.168.178.32[0]_
2009 Apr 10 15:34:21 [FVS336G] [IKE] Sending Informational Exchange: notify payload[NO-PROPOSAL-CHOSEN]_
2009 Apr 10 15:34:21 [FVS336G] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=8d5deb52aea7f7dd:9fef75fd94c81c8e._
2009 Apr 10 15:34:22 [FVS336G] [IKE] ISAKMP-SA deleted for 192.168.178.34[500]-192.168.178.32[500] with spi:8d5deb52aea7f7dd:9fef75fd94c81c8e_

Causes / Solutions

Wrong phase 2 proposals (integrity algorithm): router set to SHA1, client to MD5.

Entry in the VPN log

2009 Apr 10 15:41:48 [FVS336G] [IKE] Remote configuration for identifier "macbook" found_
2009 Apr 10 15:41:48 [FVS336G] [IKE] Received request for new phase 1 negotiation: 192.168.178.34[500]<=>192.168.178.32[500]_
2009 Apr 10 15:41:48 [FVS336G] [IKE] Beginning Aggressive mode._
2009 Apr 10 15:41:48 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2009 Apr 10 15:41:48 [FVS336G] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2009 Apr 10 15:41:48 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 6 times -
2009 Apr 10 15:41:48 [FVS336G] [IKE] Received Vendor ID: CISCO-UNITY_
2009 Apr 10 15:41:48 [FVS336G] [IKE] For 192.168.178.32[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2009 Apr 10 15:41:49 [FVS336G] [IKE] Ignore information because ISAKMP-SA has not been established yet._

Causes / Solutions

The pre-shared key (PSK) on router and client does not match. In some cases, special characters in the PSK can cause problems.

Entry in the VPN log

2009 Apr 10 15:43:52 [FVS336G] [IKE] Remote configuration for identifier "macbook" found_
2009 Apr 10 15:43:52 [FVS336G] [IKE] Received request for new phase 1 negotiation: 192.168.178.34[500]<=>192.168.178.32[500]_
2009 Apr 10 15:43:52 [FVS336G] [IKE] Beginning Aggressive mode._
2009 Apr 10 15:43:52 [FVS336G] [IKE] Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt_
2009 Apr 10 15:43:52 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2009 Apr 10 15:43:52 [FVS336G] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2009 Apr 10 15:43:52 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 6 times -
2009 Apr 10 15:43:52 [FVS336G] [IKE] Received Vendor ID: CISCO-UNITY_
2009 Apr 10 15:43:52 [FVS336G] [IKE] For 192.168.178.32[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2009 Apr 10 15:43:52 [FVS336G] [IKE] Rejected phase 1 proposal as Peer's authentication method "XAuth psk server" mismatched with Local "pre-shared key"._
2009 Apr 10 15:43:52 [FVS336G] [IKE] No suitable proposal found for 192.168.178.32[500]._
2009 Apr 10 15:43:52 [FVS336G] [IKE] Failed to get valid proposal for 192.168.178.32[500]._

Causes / Solutions

XAUTH is enabled in the client but not in the router.

Entry in the VPN log

2009 Apr 10 15:46:53 [FVS336G] [IKE] Remote configuration for identifier "macbook" found_
2009 Apr 10 15:46:53 [FVS336G] [IKE] Received request for new phase 1 negotiation: 192.168.178.34[500]<=>192.168.178.32[500]_
2009 Apr 10 15:46:53 [FVS336G] [IKE] Beginning Aggressive mode._
2009 Apr 10 15:46:53 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2009 Apr 10 15:46:53 [FVS336G] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2009 Apr 10 15:46:53 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 6 times -
2009 Apr 10 15:46:53 [FVS336G] [IKE] Received Vendor ID: CISCO-UNITY_
2009 Apr 10 15:46:53 [FVS336G] [IKE] For 192.168.178.32[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2009 Apr 10 15:46:53 [FVS336G] [IKE] Rejected phase 1 proposal as Peer's authentication method "pre-shared key" mismatched with Local "XAuth psk server"._
2009 Apr 10 15:46:53 [FVS336G] [IKE] No suitable proposal found for 192.168.178.32[500]._
2009 Apr 10 15:46:53 [FVS336G] [IKE] Failed to get valid proposal for 192.168.178.32[500]._

Causes / Solutions

XAUTH is enabled in the router but not in the VPN client.

Entry in the VPN log

2009 Apr 10 15:48:14 [FVS336G] [IKE] Remote configuration for identifier "macbook" found_
2009 Apr 10 15:48:14 [FVS336G] [IKE] Received request for new phase 1 negotiation: 192.168.178.34[500]<=>192.168.178.32[500]_
2009 Apr 10 15:48:14 [FVS336G] [IKE] Beginning Aggressive mode._
2009 Apr 10 15:48:14 [FVS336G] [IKE] Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt_
2009 Apr 10 15:48:14 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2009 Apr 10 15:48:14 [FVS336G] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2009 Apr 10 15:48:14 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 6 times -
2009 Apr 10 15:48:14 [FVS336G] [IKE] Received Vendor ID: CISCO-UNITY_
2009 Apr 10 15:48:14 [FVS336G] [IKE] For 192.168.178.32[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2009 Apr 10 15:48:15 [FVS336G] [IKE] NAT-D payload matches for 192.168.178.34[500]_
2009 Apr 10 15:48:15 [FVS336G] [IKE] NAT-D payload matches for 192.168.178.32[500]_
2009 Apr 10 15:48:15 [FVS336G] [IKE] NAT not detected _
2009 Apr 10 15:48:15 [FVS336G] [IKE] Sending Xauth request to 192.168.178.32[500]_
2009 Apr 10 15:48:15 [FVS336G] [IKE] ISAKMP-SA established for 192.168.178.34[500]-192.168.178.32[500] with spi:cdc7dd7dcaaf879c:639fea600181da3c_
2009 Apr 10 15:48:15 [FVS336G] [IKE] Received attribute type "ISAKMP_CFG_REPLY" from 192.168.178.32[500]_
2009 Apr 10 15:48:15 [FVS336G] [IKE] Login failed for user "user"_
2009 Apr 10 15:48:15 [FVS336G] [IKE] Sending Informational Exchange: delete payload[]_
2009 Apr 10 15:48:16 [FVS336G] [IKE] an undead schedule has been deleted: 'ph1_main'._
2009 Apr 10 15:48:16 [FVS336G] [IKE] Received mode config from 192.168.178.32[500], but we do not have ISAKMP-SA._

Causes / Solutions

Wrong user name or password for XAUTH.

Entry in the VPN log

2009 Apr 10 15:58:08 [FVS336G] [IKE] Remote configuration for identifier "macbook" found_
2009 Apr 10 15:58:08 [FVS336G] [IKE] Received request for new phase 1 negotiation: 192.168.178.34[500]<=>192.168.178.32[500]_
2009 Apr 10 15:58:08 [FVS336G] [IKE] Beginning Aggressive mode._
2009 Apr 10 15:58:08 [FVS336G] [IKE] Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt_
2009 Apr 10 15:58:08 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2009 Apr 10 15:58:08 [FVS336G] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2009 Apr 10 15:58:08 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 6 times -
2009 Apr 10 15:58:08 [FVS336G] [IKE] Received Vendor ID: CISCO-UNITY_
2009 Apr 10 15:58:08 [FVS336G] [IKE] For 192.168.178.32[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2009 Apr 10 15:58:10 [FVS336G] [IKE] NAT-D payload matches for 192.168.178.34[500]_
2009 Apr 10 15:58:10 [FVS336G] [IKE] NAT-D payload matches for 192.168.178.32[500]_
2009 Apr 10 15:58:10 [FVS336G] [IKE] NAT not detected _
2009 Apr 10 15:58:10 [FVS336G] [IKE] Sending Xauth request to 192.168.178.32[500]_
2009 Apr 10 15:58:10 [FVS336G] [IKE] ISAKMP-SA established for 192.168.178.34[500]-192.168.178.32[500] with spi:03cdacb3d74c830d:49ead1d297abc155_
2009 Apr 10 15:58:10 [FVS336G] [IKE] Received attribute type "ISAKMP_CFG_REPLY" from 192.168.178.32[500]_
2009 Apr 10 15:58:10 [FVS336G] [IKE] Login succeeded for user "user"_
2009 Apr 10 15:58:13 [FVS336G] [IKE] Received attribute type "ISAKMP_CFG_REQUEST" from 192.168.178.32[500]_
2009 Apr 10 15:58:13 [FVS336G] [IKE] Local configuration for 192.168.178.32[500] does not have mode config_
- Last output repeated 3 times -
2009 Apr 10 15:58:13 [FVS336G] [IKE] Ignored attribute 5_
2009 Apr 10 15:58:13 [FVS336G] [IKE] Ignored attribute 6_
2009 Apr 10 15:58:13 [FVS336G] [IKE] Local configuration for 192.168.178.32[500] does not have mode config_
- Last output repeated 5 times -
2009 Apr 10 15:58:13 [FVS336G] [IKE] Ignored attribute 28678_
2009 Apr 10 15:58:13 [FVS336G] [IKE] Local configuration for 192.168.178.32[500] does not have mode config_

Causes / Solutions

The client requests Mode Config (automatic configuration), but Mode Config is not set up on the router.

Entry in the VPN log

2009 Apr 10 16:01:13 [FVS336G] [IKE] Remote configuration for identifier "macbook" found_
2009 Apr 10 16:01:13 [FVS336G] [IKE] Received request for new phase 1 negotiation: 192.168.178.34[500]<=>192.168.178.32[500]_
2009 Apr 10 16:01:13 [FVS336G] [IKE] Beginning Aggressive mode._
2009 Apr 10 16:01:13 [FVS336G] [IKE] Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt_
2009 Apr 10 16:01:13 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2009 Apr 10 16:01:13 [FVS336G] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2009 Apr 10 16:01:13 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 6 times -
2009 Apr 10 16:01:13 [FVS336G] [IKE] Received Vendor ID: CISCO-UNITY_
2009 Apr 10 16:01:13 [FVS336G] [IKE] For 192.168.178.32[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2009 Apr 10 16:01:14 [FVS336G] [IKE] NAT-D payload matches for 192.168.178.34[500]_
2009 Apr 10 16:01:14 [FVS336G] [IKE] NAT-D payload matches for 192.168.178.32[500]_
2009 Apr 10 16:01:14 [FVS336G] [IKE] NAT not detected _
2009 Apr 10 16:01:14 [FVS336G] [IKE] Sending Xauth request to 192.168.178.32[500]_
2009 Apr 10 16:01:14 [FVS336G] [IKE] ISAKMP-SA established for 192.168.178.34[500]-192.168.178.32[500] with spi:d27de22a817f97eb:aa93be72576fb460_
2009 Apr 10 16:01:14 [FVS336G] [IKE] Received attribute type "ISAKMP_CFG_REPLY" from 192.168.178.32[500]_
2009 Apr 10 16:01:14 [FVS336G] [IKE] Login succeeded for user "user"_
2009 Apr 10 16:01:14 [FVS336G] [IKE] purging spi=213435223._
2009 Apr 10 16:01:14 [FVS336G] [IKE] 172.16.0.1 IP address is assigned to remote peer 192.168.178.32[500]_
2009 Apr 10 16:01:14 [FVS336G] [IKE] Responding to new phase 2 negotiation: 192.168.178.34[0]<=>192.168.178.32[0]_
2009 Apr 10 16:01:14 [FVS336G] [IKE] Failed to get IPsec SA configuration for: 10.0.0.0/24<->192.168.178.32/32 from macbook_
2009 Apr 10 16:01:15 [FVS336G] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=d27de22a817f97eb:aa93be72576fb460._
2009 Apr 10 16:01:16 [FVS336G] [IKE] ISAKMP-SA deleted for 192.168.178.34[500]-192.168.178.32[500] with spi:d27de22a817f97eb:aa93be72576fb460_
2009 Apr 10 16:01:16 [FVS336G] [IKE] 172.16.0.1 IP address has been released by remote peer._
2009 Apr 10 16:01:16 [FVS336G] [IKE] No policy found: 172.16.0.1/32[0] 0.0.0.0/0[0] proto=any dir=in_
2009 Apr 10 16:01:16 [FVS336G] [IKE] No policy found: 0.0.0.0/0[0] 172.16.0.1/32[0] proto=any dir=out_

Causes / Solutions

The router wants to perform Mode Config, the client does not.

Entry in the VPN log

2009 Apr 10 16:04:38 [FVS336G] [IKE] Remote configuration for identifier "macbook" found_
2009 Apr 10 16:04:38 [FVS336G] [IKE] Received request for new phase 1 negotiation: 192.168.178.34[500]<=>192.168.178.32[500]_
2009 Apr 10 16:04:38 [FVS336G] [IKE] Beginning Aggressive mode._
2009 Apr 10 16:04:38 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2009 Apr 10 16:04:38 [FVS336G] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2009 Apr 10 16:04:38 [FVS336G] [IKE] Received unknown Vendor ID_
- Last output repeated 6 times -
2009 Apr 10 16:04:38 [FVS336G] [IKE] Received Vendor ID: CISCO-UNITY_
2009 Apr 10 16:04:38 [FVS336G] [IKE] For 192.168.178.32[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2009 Apr 10 16:04:38 [FVS336G] [IKE] Rejected phase 1 proposal as Peer's authentication method "pre-shared key" mismatched with Local "RSA signatures"._
2009 Apr 10 16:04:38 [FVS336G] [IKE] No suitable proposal found for 192.168.178.32[500]._
2009 Apr 10 16:04:38 [FVS336G] [IKE] Failed to get valid proposal for 192.168.178.32[500]._
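
As an added example (not part of the original article and not Netgear code), the following Python script maps the log signatures shown above to the causes the article gives, and for phase 2 failures compares the Peer and Local proposal lines attribute by attribute. The function names and the wording of the findings are assumptions; the sample lines are abridged from the phase 2 excerpt above.

```python
import re

# Layout of the FVS336G lines on this page:
#   2009 Apr 10 15:30:27 [FVS336G] [IKE] <message>_
LINE_RE = re.compile(r"^\d{4} \w{3} +\d+ [\d:]{8} \[[^\]]+\] \[IKE\] (.*?)[_\s]*$")
PH1_RE = re.compile(r'Rejected phase 1 proposal as Peer\'s (.+?) "(.+?)" '
                    r'mismatched with Local "(.+?)"')
ATTR_RE = re.compile(r"(trns_id|encklen|authtype)=([^\s)]+)")

# Single-line signatures and the cause the article gives for each.
SIMPLE = [
    ("Could not find configuration for",
     "peer not recognised: check Remote/Local ID, ID type and exchange mode"),
    ("Ignore information because ISAKMP-SA has not been established",
     "pre-shared key differs between router and client"),
    ("Login failed for user", "XAUTH user name or password wrong"),
    ("does not have mode config",
     "client requests Mode Config, router has none configured"),
]

# Abridged from the phase 2 excerpt above (3DES on the router, AES-256 on the client).
SAMPLE = """\
2009 Apr 10 15:32:54 [FVS336G] [IKE] Peer's Proposal:_
2009 Apr 10 15:32:54 [FVS336G] [IKE] (trns_id=RIJNDAEL encklen=256 authtype=hmac-sha)_
2009 Apr 10 15:32:54 [FVS336G] [IKE] Local Proposal:_
2009 Apr 10 15:32:54 [FVS336G] [IKE] (trns_id=3DES encklen=0 authtype=hmac-sha)_
2009 Apr 10 15:32:54 [FVS336G] [IKE] Phase 2 proposal by 192.168.178.32[0] did not match._
"""

def messages(log_text):
    """Yield the message part of every IKE line; repeat markers are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1)

def diagnose(log_text):
    """Return the findings for the log of one connection attempt."""
    findings, side, assigned = [], None, False
    proposals = {"Peer": {}, "Local": {}}
    for msg in messages(log_text):
        for needle, cause in SIMPLE:
            if needle in msg and cause not in findings:
                findings.append(cause)
        m = PH1_RE.search(msg)
        if m:
            findings.append(f"phase 1 {m[1]}: peer={m[2]} local={m[3]}")
        elif msg.startswith("Peer's Proposal"):
            side = "Peer"
        elif msg.startswith("Local Proposal"):
            side = "Local"
        elif side and msg.startswith("("):
            proposals[side].update(ATTR_RE.findall(msg))
        elif "IP address is assigned to remote peer" in msg:
            assigned = True  # the router handed out a Mode Config address
        elif msg.startswith("Failed to get IPsec SA configuration for:"):
            nets = msg.split(": ", 1)[1].split(" from ")[0]
            if assigned:
                findings.append(f"router did Mode Config, client did not ({nets})")
            else:
                findings.append(f"wrong remote network configured in client ({nets})")
        elif "Phase 2 proposal" in msg and "did not match" in msg:
            peer, local = proposals["Peer"], proposals["Local"]
            for key in sorted(set(peer) | set(local)):
                if peer.get(key) != local.get(key):
                    findings.append(
                        f"phase 2 {key}: peer={peer.get(key)} local={local.get(key)}")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

In these excerpts the router is the responder, so "peer" is the VPN client and "local" is the router.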

Further information

If you have questions, you can get help in the network forum.

 

 
© 2004-2015, network lab - we make your net work - Netzwerkforum
Updated on 22.03.2012